Blackhat: Recovering from Shamoon

Monday, August 10, 2015 @ 05:08 PM gHale

By Gregory Hale
Shamoon was a brutal attack that took down 35,000 computers at oil giant Saudi Aramco back in 2012.

While the production end of the operation remained safe, Aramco realized it needed to strengthen its IT security outside headquarters, in the EMEA (Europe, Middle East and Africa) region.


That is where Christina Kubecka comes in. Aramco hired her to start up and strengthen security at Saudi Aramco’s affiliate Aramco Overseas.

“(Shamoon) started off as a spearphishing email and when it got internal through a PC, it swept through as many computers as it could and began wiping them August 15, 2012,” said Kubecka during her Thursday talk entitled, “How to Implement IT Security after a Meltdown” at the Blackhat USA 2015 conference in Las Vegas. “Saudi Aramco and its affiliates immediately disconnected from the world and each other.”

Shamoon is malware that targets computers running Microsoft Windows. It spread to other machines on the network through network file shares. Once a system was infected, the malware compiled a list of files from specific locations on the system, erased them, and sent information about those files back to the attacker. Finally, it overwrote the master boot record so the system could no longer boot.
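The three behaviours just described, copying itself to peers over network shares, rewriting many files in a short burst and finally overwriting the master boot record, are what an endpoint detection would look for. The following Python is an added example and is not code from the article, from Kubecka's talk or from Saudi Aramco; the event records, field names, paths and thresholds are constructed for the example and only mimic the shape of Sysmon-style file-write and raw-device-access telemetry.

```python
"""Flag wiper-style behaviour in constructed endpoint telemetry.

Added example; not code from the article, the speaker or Saudi Aramco.
Event records, field names and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RAW_DEVICE_PREFIX = "\\\\.\\PHYSICALDRIVE"  # \\.\PhysicalDriveN handles reach the MBR
ADMIN_SHARES = ("ADMIN$", "C$")              # default admin shares used to push a binary to peers


def detect(events, file_threshold=5, window=timedelta(seconds=60), host_threshold=3):
    """Return a sorted list of (host, pid, rule) alerts.

    mass_file_overwrite: one process rewrites >= file_threshold distinct local
                         files within `window` (the wiping stage)
    raw_disk_write:      a process opens \\.\PhysicalDriveN for writing
                         (how the master boot record gets overwritten)
    share_spread:        one process writes to admin shares on >= host_threshold
                         other machines (the spreading stage)
    """
    alerts = set()
    writes = defaultdict(list)       # (host, pid) -> [(time, local path)]
    remote_hosts = defaultdict(set)  # (host, pid) -> {peer written to}

    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        key = (ev["host"], ev["pid"])
        target = ev["target"]
        if ev["kind"] == "raw_device_open":
            if ev.get("access") == "write" and target.upper().startswith(RAW_DEVICE_PREFIX):
                alerts.add((*key, "raw_disk_write"))
        elif ev["kind"] == "file_write":
            if target.startswith("\\\\"):
                # UNC path \\server\share\...: split gives ['', '', server, share, ...]
                parts = target.split("\\")
                if len(parts) > 3 and parts[3].upper() in ADMIN_SHARES:
                    remote_hosts[key].add(parts[2].lower())
                    if len(remote_hosts[key]) >= host_threshold:
                        alerts.add((*key, "share_spread"))
            else:
                now = datetime.fromisoformat(ev["ts"])
                hist = writes[key]
                hist.append((now, target))
                while hist and now - hist[0][0] > window:  # slide the window forward
                    hist.pop(0)
                if len({path for _, path in hist}) >= file_threshold:
                    alerts.add((*key, "mass_file_overwrite"))
    return sorted(alerts)


def _ev(ts, host, pid, kind, target, access=None):
    e = {"ts": ts, "host": host, "pid": pid, "kind": kind, "target": target}
    if access:
        e["access"] = access
    return e


# Constructed sample telemetry (not real logs): a benign editor on ws-01,
# and one process on ws-02 that spreads, wipes, then hits the physical disk.
SAMPLE_EVENTS = [
    _ev("2012-08-15T11:00:00", "ws-01", 3312, "file_write", "C:\\Users\\a\\Documents\\notes.txt"),
    _ev("2012-08-15T11:09:00", "ws-01", 3312, "file_write", "C:\\Users\\a\\Documents\\notes.txt"),
    _ev("2012-08-15T11:15:00", "ws-02", 4488, "file_write", "\\\\ws-03\\ADMIN$\\dropper.exe"),
    _ev("2012-08-15T11:15:01", "ws-02", 4488, "file_write", "\\\\ws-04\\ADMIN$\\dropper.exe"),
    _ev("2012-08-15T11:15:02", "ws-02", 4488, "file_write", "\\\\ws-05\\C$\\Windows\\dropper.exe"),
] + [
    _ev(f"2012-08-15T11:16:{i:02d}", "ws-02", 4488, "file_write",
        f"C:\\Users\\b\\Documents\\report{i}.docx")
    for i in range(6)
] + [
    _ev("2012-08-15T11:17:00", "ws-02", 4488, "raw_device_open", "\\\\.\\PhysicalDrive0", access="write"),
    # a raw *read* of the disk (inventory tooling) must not trip the MBR rule
    _ev("2012-08-15T11:18:00", "ws-01", 900, "raw_device_open", "\\\\.\\PhysicalDrive0", access="read"),
]

if __name__ == "__main__":
    for host, pid, rule in detect(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: {rule}")
```

Run stand-alone it reports all three rules for pid 4488 on ws-02 and nothing for the editor or the read-only disk access. The thresholds are deliberately parameters: a backup agent legitimately rewrites many files, so in production the file-overwrite rule would be tuned per image or allowlisted, while any write handle to a physical drive from an unexpected process is worth an alert on its own.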

Saudi Aramco, RasGas and SAFCO all fell victim to the attack. It was a two-pronged attack during Ramadan, Kubecka said. Over 50 percent of Windows systems were affected and the malware corrupted 35,000 systems.

“A lot of things happened, but it was recoverable. It was almost like a Hollywood ending,” she said.

One of the things she understands is the difference between the ICS environment and the IT world. The levels of risk are quite different.

“What IT doesn’t understand is a power plant can’t do a quick reboot to start the system,” she said. “ICS was separated and that was fantastic.”

While production did not suffer from the attack, the aftermath was a problem for the entire country.

“Tanker trucks were lined up for miles waiting to get refined gasoline,” Kubecka said. “Seventeen days after the attack there were gasoline shortages around Saudi Arabia. ICS and IT networks remained isolated. There were no emails, no phones, and no fax machines.”

After the attack, Saudi Aramco realized it had no real security in the EMEA region outside Saudi Arabia.

Kubecka came onboard to start up a security program.

“We started from ground zero. Recruiting people was the big move.”

In terms of finding security experts, Kubecka said she didn’t have a big problem finding and hiring candidates because she did have a big budget. Some of the things she learned about hiring new employees include:
• Don’t cheap out; good analysts are hard to find
• Hackers are good candidates
• Provide rest for workers and don’t run them 24 hours a day. “If your analysts are well rested and enjoying what they are doing, they will do amazing things,” she said.
• Find a way to retain rock star candidates

Yes, job candidates want good pay, she said, but most of all they want training to stay up to date with the latest technologies and ways to ward off attacks.

The security culture was pretty much non-existent up to and right after the attack, so she started a program within the company to create "security heroes" who would help build a security culture.

“After we were set up, we became more than just a SNOC (Secure Network Operations Center), we were a security unit,” Kubecka said. “We wanted to be more proactive than reactive.”

Having a smart security system was the goal, but the aftermath of the attack did take its toll.

“I had never seen an attack like the Saudi Aramco attack,” she said. “Employees didn’t know what to do. Here was something they knew, and it seemed like there ended up being psychological damage among employees.”